In a FGCP cluster trying to get session sync traffic over the dedicated interface with the set session-sync-dev command. But the corresponding diagnose output seems to indicate it doesn't work.
fgt1 (root) # diagnose sys ha session-sync-dev
HA sessync ports: 1
dmz probe: HA probe, Standalone connected, peer_mac = 00:00:00:00:00:00
HB pkts: rx=0, tx=508298
SES pkts: rx=0, tx=0
Seems to indicate HB packets are send, but none received. Also the status remains probe for HA.
The cluster is connect with a direct cable, no switch in between or such.Tried with other interfaces also, wan1, internal4, ...
Anyone has this working and different command (diagnose sys ha session-sync-dev) output? What are your counters and status?
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hi,
You are saying the hatalk is not working, hatalk is the one responsible for the heartbeat. Please check the crashlog "di de crashlog read" to see if the demon is failing. You can restart the process by using the command "fnsysctl killall hatalk". Run the following debug on both the Firewall to see the process
diag debug hatalk -1
diag debug console timestamp en
diag debug enable
To stop the debug use the command given below;
diag debug disable
diag debug reset
Article Reference:
---------------------------------------
Article Related to Session Sync;
That is FGSP related, I'm asking about FGCP.
The way I read the output the probes are send, but not received on the configured session-sync-dev. This the case on the primary and secondary FortiGate in the FGCP cluster.
The hatalk debug shows nothing odd, but can't be 100% sure it is fine either. Do feel the 10 second interval is much higher then I see HB packets send.
# diagnose debug application hatalk -1
# diagnose debug console timestamp enable
# diagnose debug enable
2024-11-05 20:00:03 <hatalk> vcluster_1: ha_prio=0(primary), state/chg_time/now=2(work)/1730481069/1730833203
2024-11-05 20:00:13 <hatalk> vcluster_1: ha_prio=0(primary), state/chg_time/now=2(work)/1730481069/1730833213
2024-11-05 20:00:23 <hatalk> vcluster_1: ha_prio=0(primary), state/chg_time/now=2(work)/1730481069/1730833223
It would be nice if Fortinet can publish correct looking debug output for cases like this.
..
Use the following configuration to create a data interface LAG. The members of the LAG can be any data interfaces that can be added to LAGs as supported by your FortiGate model.
config system interface
edit HA-session-lag
set type aggregate
set member port13 port14 port15 port16
set lacp-mode static
end
Note:
-------------------
You can only use a static mode LAG as the hardware session synchronization interface (lacp-mode
must be set to static
).
Use the following command to set the LAG as the FGCP HA hardware session synchronization interface.
config system ha
set session-pickup enable
set hw-session-sync-dev HA-session-lag
end
See if this solves your problem;
https://docs.fortinet.com/document/fortigate/7.6.0/hyperscale-firewall-guide/232377
Thank you.
First time I have seen the hw-session-sync-dev mentioned.It seems a hyper scale firewall feature and this system isn't licensed for that. The options doesn't exist in system ha settings.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1662 | |
1077 | |
752 | |
446 | |
220 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.